
TeamPCP’s Mini Shai-Hulud worm struck again. On May 19, a compromised npm maintainer account published 637 malicious package versions across 323 packages in a 22-minute automated burst, exposing roughly 16 million combined weekly downloads to credential-stealing malware. If your CI pipeline ran npm install anywhere near 01:39–02:18 UTC on May 19, treat your credentials as compromised until proven otherwise.
How the Attack Worked
The attacker compromised the atool npm account, which has publish rights to the @antv visualization scope and a handful of standalone libraries. From there, it was automated: 637 malicious versions published in two waves over 22 minutes, each carrying a 498KB obfuscated JavaScript payload triggered by npm’s preinstall hook and executed via the Bun runtime.
What made this wave more dangerous than past attacks is what the malware did once inside a CI runner. It located the GitHub Actions Runner.Worker process using /proc scanning, then read its memory directly to extract secrets — including ones GitHub marks as masked. Log redaction did nothing. Every credential that passed through the runner during that build was exposed.
The malware also forged SLSA Build Level 3 provenance. It stole an OIDC token from runner memory, used it to obtain a valid signing certificate from Sigstore’s Fulcio CA, and signed the malicious package. For teams that added SLSA verification specifically to prevent supply chain tampering, the check passed. The cryptographic attestation was real — the package was still a weapon.
Which Packages Were Hit
The @antv scope took the brunt: @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, @antv/data-set, and @antv/scale (2.2M weekly downloads alone). But the blast radius extended well beyond Alibaba’s data visualization stack. echarts-for-react (3.8M weekly downloads), size-sensor (4.2M), and timeago.js (1.5M) were compromised through the same atool maintainer account.
Any version published before May 19, 2026 at 01:39 UTC is clean. GitHub has removed the malicious versions and revoked 61,274 npm granular access tokens, but that does not un-exfiltrate credentials that were already stolen.
Check If You’re Affected
Run npm audit — npm will flag the compromised versions. For deeper coverage, run a Snyk scan:
snyk test --file=package-lock.json
Check your lockfile for @antv packages or the standalone libraries listed above, and compare install timestamps against the attack window. Also search your GitHub organization for any repositories whose description reads niagA oG eW ereH :duluH-iahS — that reversed Dune quote is the marker the malware plants when it creates a public repo using your stolen token as a data dead-drop.
What to Do Right Now
Order matters. The malware drops a daemon that monitors npm and GitHub tokens every 60 seconds. Remove persistence mechanisms before rotating credentials, or the daemon will intercept newly issued tokens immediately.
- Remove persistence artifacts. Check for .claude/settings.json with a SessionStart hook, .vscode/tasks.json with a folderOpen trigger, ~/.local/share/kitty/cat.py (the C2 daemon), and injected GitHub Actions workflows (look for a tampered codeql.yml).
- Clean your dependencies. Delete node_modules entirely and reinstall with --ignore-scripts:
rm -rf node_modules && npm install --ignore-scripts
- Rotate all credentials. npm tokens, GitHub PATs, AWS access keys, GCP service account tokens, Azure principals, Kubernetes service account tokens, Vault tokens, and SSH keys. The malware sweeps 130+ file paths and environment variables.
- Audit your CI logs for outbound connections to t.m-kosche.com or unexpected GitHub API calls with a python-requests/2.31.0 User-Agent.
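The checks from the list above as a read-only Node.js script (an added example, not part of the original article or any vendor tooling). It reports the persistence files the article names and flags CI log lines containing the two network indicators; the .github/workflows/ location for codeql.yml and the sample log lines are assumptions constructed for illustration.

```javascript
// Added example, not the article's code: read-only triage for the persistence
// artifacts and log indicators the article names. Hits are leads for manual review.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Paths and marker strings come from the article; placing codeql.yml under
// .github/workflows/ is an assumption (the standard Actions workflow directory).
const ARTIFACTS = [
  { base: 'repo', rel: '.claude/settings.json', marker: 'SessionStart' },
  { base: 'repo', rel: '.vscode/tasks.json', marker: 'folderOpen' },
  { base: 'repo', rel: '.github/workflows/codeql.yml', marker: null },
  { base: 'home', rel: '.local/share/kitty/cat.py', marker: null },
];
const LOG_INDICATORS = ['t.m-kosche.com', 'python-requests/2.31.0'];

// Constructed sample CI log lines (not real traffic) for a quick self-check.
const SAMPLE_LOG = [
  '02:01:07 GET https://registry.npmjs.org/example-pkg 200',
  '02:01:09 POST https://api.github.com/user/repos ua=python-requests/2.31.0 201',
  '02:01:10 CONNECT t.m-kosche.com:443',
].join('\n');

// Text search rather than JSON.parse: tasks.json may legally contain comments.
function findPersistence(repoDir, homeDir = os.homedir()) {
  const findings = [];
  for (const a of ARTIFACTS) {
    const file = path.join(a.base === 'home' ? homeDir : repoDir, a.rel);
    if (!fs.existsSync(file)) continue;
    if (a.marker && !fs.readFileSync(file, 'utf8').includes(a.marker)) continue;
    findings.push({ file, reason: a.marker ? `contains ${a.marker}` : 'file present' });
  }
  return findings;
}

// Returns { line, indicator } for every log line that mentions an indicator.
function scanLog(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((entry, i) => {
    for (const ind of LOG_INDICATORS) if (entry.includes(ind)) hits.push({ line: i + 1, indicator: ind });
  });
  return hits;
}

// Usage: node triage.js <repo-dir> [ci-log-file]; without a log file the sample is scanned.
const [repoArg = '.', logArg] = process.argv.slice(2);
for (const f of findPersistence(repoArg)) console.log(`[persistence] ${f.file}: ${f.reason}`);
const logText = logArg && fs.existsSync(logArg) ? fs.readFileSync(logArg, 'utf8') : SAMPLE_LOG;
for (const h of scanLog(logText)) console.log(`[log] line ${h.line}: ${h.indicator}`);
```

A legitimate project can have its own SessionStart hook or codeql.yml, so compare each reported file against a known-good copy before deleting it.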
The Context You Need
This is the second major npm attack wave in ten days. On May 12, TeamPCP released the Shai-Hulud worm’s source code publicly and launched a $1,000 Monero “supply chain attack contest” on BreachForums, explicitly inviting copycats to maximize downstream damage. The first copycat campaigns appeared within days — attribution on this AntV wave remains unclear.
The same campaign also breached GitHub’s own infrastructure. A poisoned Nx Console VS Code extension, live in the Marketplace for roughly 11 minutes on May 18, gave attackers access to an employee’s credentials. GitHub confirmed on May 20 that approximately 3,800 internal repositories were exfiltrated as a result.
The SLSA provenance forgery is the real story here. The security community has pushed SLSA attestation as the answer to supply chain attacks for two years. TeamPCP just demonstrated that SLSA is only as strong as your build environment’s ability to keep OIDC tokens out of attacker hands — which is not currently guaranteed. Microsoft’s full technical analysis is worth reading for the complete attack chain. In the meantime, adding --ignore-scripts to your CI npm installs is no longer optional.













